zlacker

[return to "The Linux Security Circus: On GUI isolation"]
1. trotsk+37[view] [source] 2011-04-24 02:01:57
>>wglb+(OP)
Qubes seems to be YASTVOS (Yet Another Security Through Virtualization OS). While I'm not going to disagree that Xen vms represent a smaller attack surface than most current installations, that doesn't mean there won't be bugs. If you shift everyone to a solution like this, guaranteed people will be breaking out of it. VMware has had a number of vm escapes.

The other problem is these OS's often don't seem to get very far. Seems like Qubes is launching beta 1. It's the kind of thing that one would expect needing a significant time to shake out.

Which isn't to say I wouldn't like to run a nicely implemented example of the concept. It certainly has the possibility of raising the bar significantly. Of course, it seems like no matter how far windows raises the bar people still keep on jumping it easily.

◧◩
2. rwmj+Fd[view] [source] 2011-04-24 08:33:35
>>trotsk+37
For KVM, we've implement SVirt. We don't trust the main userspace (qemu-kvm) process, and assume that it has been subverted by the guest. We contain it using SELinux rules.

http://selinuxproject.org/page/SVirt

This is now a standard feature in Fedora (since Fedora 11):

http://fedoraproject.org/wiki/Features/SVirt_Mandatory_Acces...

[go to top]